Tuesday, June 18, 2019

SSPR and only allow registration of security information from trusted location

At our last Mindcore Tech event, we took a closer look at Self-service Password reset in Azure AD.

One question we did not have the time to pursue was how to only allow entering security information from a trusted location.

We have SSPR set up, and users are required to set up security information at first logon as explained here:

https://blog.mindcore.dk/2019/03/azure-active-directory-azure-ad-self.html

In this test we will only allow entering security information from our company IP address.

First we create a new user to use for this test (blockuser).

Blockuser will be added to the AD group pwdresetgrp, because this is the group we used in the previous post about SSPR. We will also use this group for the conditional access policy.

Next step is to create a new Conditional Access Policy in Azure AD.

Name the policy and in Users and groups select the group pwdresetgrp to be included in this policy.

In Cloud apps or actions, select User actions and then Register security information.

In Conditions, select Locations and include Any location.

We will exclude our Company IP address (Mindcore location) and trusted MFA IPs.

For the access control, select Block access.

Then enable the policy and click Create.

In this example the location Mindcore is created as an IP address range.

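The same policy can be built without the portal. The following is an added example (not from the original post) using the Microsoft Graph PowerShell SDK; it assumes the Microsoft.Graph.Identity.SignIns and Microsoft.Graph.Groups modules are installed, that the group pwdresetgrp already exists, and that the CIDR range is a placeholder for the real company range.

```powershell
# Added example, not the original post's procedure. Requires the Microsoft Graph
# PowerShell SDK and an account allowed to edit Conditional Access policies.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Group.Read.All"

# The group from the earlier SSPR post; the policy applies to its members only.
$group = Get-MgGroup -Filter "displayName eq 'pwdresetgrp'" | Select-Object -First 1
if (-not $group) { throw "Group pwdresetgrp not found" }

# Named location for the company egress range (the "Mindcore" location in the
# post). isTrusted makes it part of the built-in AllTrusted value as well.
$location = New-MgIdentityConditionalAccessNamedLocation -BodyParameter @{
    "@odata.type" = "#microsoft.graph.ipNamedLocation"
    displayName   = "Mindcore"
    isTrusted     = $true
    ipRanges      = @(
        # Placeholder range; replace with the real company IP range.
        @{ "@odata.type" = "#microsoft.graph.iPv4CidrRange"; cidrAddress = "203.0.113.0/24" }
    )
}

# Block the "Register security information" user action from every location
# except the company range and the trusted MFA IPs (both covered by AllTrusted).
# Start with state "enabledForReportingButNotEnforced" to review sign-in logs
# for unintended matches before switching to "enabled".
$policy = @{
    displayName   = "Block security info registration outside trusted locations"
    state         = "enabledForReportingButNotEnforced"
    conditions    = @{
        users        = @{ includeGroups = @($group.Id) }
        applications = @{ includeUserActions = @("urn:user:registersecurityinfo") }
        locations    = @{
            includeLocations = @("All")
            excludeLocations = @($location.Id, "AllTrusted")
        }
    }
    grantControls = @{ operator = "OR"; builtInControls = @("block") }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
```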
Now let's try a first-time login with the user blockuser from an unknown IP address.

Enter the password.

We will still see the "More information required" prompt.

But since this is an untrusted location, we will get "You cannot access this right now."

Switching to a trusted location (the Mindcore IP address), we will see this instead:

Mindcore Tech https://www.linkedin.com/groups/12247201/